Auth*: Dispelling the Myths

There are a lot of bad practices and myths floating around about authentication and authorization these days. Using passwords just isn't good enough anymore. Come with me as I explore and dispel some of the common misconceptions and myths about these two important and often misunderstood topics. I'll cover some of the most common techniques and look ahead to tools and options that can help make your applications even more secure.

@ SkiPHP 2013

Chris Cornutt

January 18, 2014

Transcript

  1. AUTH*
    DISPELLING THE MYTHS
    @enygma - SkiPHP 2013
    Saturday, January 18, 2014

  2. (image slide; no transcribed text)

  3. AUTHENTICATION

  4. AUTHENTICATION
    ...the act of confirming the truth of an attribute of a datum or entity [and] often involves verifying the validity of at least one form of identification.
    source: wikipedia

  5. Confirming identity
    A satisfactory “yes” or “no”
    Impossible...in theory
    What about anonymous?
    no, not *that* Anonymous...
    AND...

  6. TYPES
    Username/password
    Two-factor
    OpenID Connect
    Biometrics
    Security Question

  7. AUTHORIZATION

  8. AUTHORIZATION
    ...is the function of specifying access rights to resources, which is related to information security and computer security in general and access control in particular.
    source: wikipedia

  9. Principle of Least Privilege
    Coarse vs fine-grained
    Think “rule” not “role”
    AND...

  10. TYPES
    Access control lists (ACL)
    Role-based access control (RBAC)
    Attribute-based control
    Policy enforcement
    Discretionary controls
    Mandatory controls
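
The “rule not role” and least-privilege points on slides 9 and 10, as an added example in Python that is not from the talk: a deny-by-default, attribute-based check in which every grant is an explicit rule over the subject, the action and the resource. The Subject and Resource types, the three rules and the department and MFA attributes are invented for illustration.

```python
"""Rule-based (attribute-based) authorization, deny by default.

Added example; not code from the talk. Subject, Resource and the rules are invented.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Subject:            # "subject", not "user": may be a person, a service or a token
    id: str
    roles: frozenset = field(default_factory=frozenset)
    department: str = ""
    mfa: bool = False     # attribute of this session: did it pass a second factor?


@dataclass(frozen=True)
class Resource:
    kind: str
    owner: str
    department: str = ""


# A rule is a predicate over (subject, action, resource). Rules only GRANT;
# anything no rule grants is denied, which is the fail-securely default.
Rule = Callable[[Subject, str, Resource], bool]

RULES: list = [
    # owners may read and update their own documents
    lambda s, a, r: r.kind == "document" and r.owner == s.id and a in {"read", "update"},
    # members of the same department may read, and only read
    lambda s, a, r: r.kind == "document" and r.department == s.department and a == "read",
    # deleting needs the admin role AND a second factor on this session
    lambda s, a, r: r.kind == "document" and "admin" in s.roles and s.mfa and a == "delete",
]


def is_allowed(subject: Subject, action: str, resource: Resource) -> bool:
    """True only if some rule explicitly grants the action; otherwise denied."""
    return any(rule(subject, action, resource) for rule in RULES)


def role_only_check(subject: Subject, action: str) -> bool:
    """The coarse check the talk warns against: 'admin' may do anything, anywhere."""
    return "admin" in subject.roles or action == "read"
```

Note that `role_only_check` lets an admin delete with no second factor and lets anyone read any document, which is exactly the over-broad grant the rule set above avoids.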

  11. MYTH #1
    Multi-factor will keep us safe

  12. SILVER BULLETS
    Not a “cure all”
    Yet another hoop
    Different implementations
    Hardware versus Software

  13. IT’S GOOD AT...
    Being a backup method, not a replacement
    Increasing confidence in users
    Helps with compliance

  14. IT’S NOT GOOD AT...
    Being the only method
    Preventing out-of-band attacks
    Stopping other attacks (ex. SQLi on login)
    Preventing provider (IdP) issues

  15. MYTH #2
    It’s just a password, right?

  16. PASSWORD BALL & CHAIN
    Ancient origins
    Just feels ancient today
    New app? Use a password?
    Password policies

  17. WHY PASSWORDS SUCK
    Shared across services
    Restrictive policies
    Too much work on “getting it right”
    Users are no good at them
    Cracking hardware is cheap

  18. (image slide; no transcribed text)

  19. PASSWORD CRACKING
    Offline attack
    Dictionary/guessing
    Brute force
    Key casting
    Cloud services
    ....and password policies

  20. (image slide; no transcribed text)

  21. (image slide; no transcribed text)

  22. PASSWORD POLICIES
    Number/Lower/Upper/Special
    Reduce repeated characters
    Length > Complexity
    Use slow algorithm
    Salt and hash (at the least)

  23. source: xkcd.com/936
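
The password-policy slide (length over complexity, reduce repeated characters, slow algorithm, salt and hash), as an added example in Python that is not from the talk; it uses the standard library's PBKDF2-HMAC-SHA256 as the slow algorithm and a constant-time compare for verification. The iteration count and the 12-character minimum are assumptions to tune for your own hardware and policy.

```python
"""Salted, slow password hashing with a length-first policy check.

Added example; not code from the talk. ITERATIONS and MIN_LENGTH are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000      # assumption: tune so one hash costs a few hundred ms on your hardware
MIN_LENGTH = 12           # "Length > Complexity": a long phrase beats a short symbol soup


def check_policy(password: str) -> list:
    """Return the list of policy violations (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Reduce repeated characters": runs like 'sss' add length without adding entropy
    if any(password[i] == password[i + 1] == password[i + 2] for i in range(len(password) - 2)):
        problems.append("three or more identical characters in a row")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random 16-byte salt per user means two users with the same password get
    different stored values, so a precomputed table or one cracked hash reveals nothing
    about the other; the iteration count makes each offline guess expensive.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False                      # unknown or legacy format: fail securely
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)
```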

  24. MYTH #3
    Internal vs Cloud - Epic Battle

  25. (image slide; no transcribed text)

  26. (image slide; no transcribed text)

  27. INTERNAL
    More control
    More traditional options
    Easier to customize
    Hardware costs/infrastructure
    Too many tools
    Less stringent on encryption

  28. EXTERNAL
    Standardized auth methods
    Agility & flexibility
    Cost savings
    High encryption/protection
    Less “control”
    Limited to provider options

  29. CONNECTING
    SAML (Markup)
    “Vaulted” POST request
    Multi-factor integration
    Federated identity
    Custom API

  30. CRITERIA
    Easy integration
    Scalability
    Provisioning integration
    User authentication methods
    Monitoring & management

  31. MYTH #4
    The Auth that Wasn’t

  32. OWASP Top 10
    A2: Broken Auth/Session Management
    A4: Insecure Object References
    A6: Sensitive Data Exposure
    http://bit.ly/owasptop10-2013

  33. Bad Practices
    Sending plain-text passwords
    Sensitive data in the URL
    Informative error messages
    No throttling on resets, registrations or password failures
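
The throttling and error-message points on the Bad Practices slide, as an added example in Python that is not from the talk: a login routine that returns the same message for an unknown user as for a wrong password, does the same amount of comparison work in both cases, and throttles failures per account and per source address. The limits, the in-memory store and the constructed user table are assumptions; production would keep the counters in shared storage and the passwords as salted slow hashes.

```python
"""Uniform login errors plus failure throttling per account and per source address.

Added example; not code from the talk. Limits and storage are assumptions.
"""
import hmac
import time
from collections import defaultdict, deque
from typing import Optional

WINDOW_SECONDS = 15 * 60          # assumption: 15-minute sliding window
MAX_FAILURES = 5                  # assumption: failures allowed per key inside the window
GENERIC_ERROR = "Invalid username or password."           # same text for unknown user and bad password
THROTTLED_ERROR = "Too many attempts, try again later."   # same text for real and unknown accounts
DUMMY_PASSWORD = "x" * 32         # compared when the user is unknown, so the work done is the same

_failures: dict = defaultdict(deque)      # key -> timestamps of recent failures


def _prune(key: str, now: float) -> None:
    q = _failures[key]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()


def is_throttled(key: str, now: float) -> bool:
    _prune(key, now)
    return len(_failures[key]) >= MAX_FAILURES


def record_failure(key: str, now: float) -> None:
    _prune(key, now)
    _failures[key].append(now)


def login(username: str, password: str, source_ip: str, users: dict, now: Optional[float] = None):
    """Return (ok, message). Throttling per account AND per source address means neither a
    brute force on one account nor one host spraying many accounts gets unlimited tries.
    `users` is a constructed username -> password table; in production the value is a
    salted slow hash and the comparison below is that hash's verify step."""
    now = time.time() if now is None else now
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(is_throttled(k, now) for k in keys):
        return False, THROTTLED_ERROR
    expected = users.get(username, DUMMY_PASSWORD)
    # constant-time compare, run even for unknown users so timing does not reveal valid names
    ok = hmac.compare_digest(expected.encode(), password.encode()) and username in users
    if not ok:
        for k in keys:
            record_failure(k, now)
        return False, GENERIC_ERROR
    _failures.pop(f"user:{username}", None)   # success clears the account counter only
    return True, "ok"
```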

  34. DON’T...
    Obscurity !== Security
    Share logins
    Use default credentials
    Plain-text

  35. MYTH #5
    But we have...

  36. HARDWARE & SOFTWARE
    Integrated systems
    Firewalls
    WAF
    Encryption

  37. HAVING and USING are not the same

  38. FIXING AUTH
    Planning for Security

  39. PRINCIPLES
    Defense in Depth
    Logging & auditing
    Fail securely
    Least privilege

  40. REALIGNMENT
    Audit of current components
    Gather usage data
    Plan, plan then plan some more
    Easier in hindsight

  41. LOOK AHEAD
    Think “Subject” not “User”
    Narrowing the options
    Pick the right fit, not the shiny one
    Plan for delegation

  42. IN DEPTH
    More than one level?
    What to protect?
    Is it the same everywhere?
    Policies/procedures
    Reduce the overhead

  43. IDENTITY IS HARD

  44. THANKS
    Questions or comments?
    @enygma
    https://joind.in/10438